A more holistic and manageable approach to network security is being demanded by businesses as they face a plague of viruses and spam and increasingly sophisticated attacks from hackers and crackers.

The pressure is on for companies to review vulnerable code and security policies and for vendors to move to intelligent, multi-layered security systems that tightly integrate with network management.

"People are moving beyond simple firewall and anti-virus applications to a solutions approach where hardware, software and management of security is viewed as a whole, often embracing areas outside IT, including surveillance," says IDC New Zealand security research specialist Jane McPherson.

An annual survey of CIOs in Australia and New Zealand has seen IT security move from 17^th position to number four among top concerns. IDC expects the local market for IT spending to experience 25.8 per cent compound growth over the next five years.

And while outsourcing options were becoming more enticing it seems New Zealanders prefer to keep security close to the corporate chest. This represents a degree of paranoia but Ms McPherson says it at least shows companies are taking the issues seriously.

The fastest growing sector will be the small to medium enterprises (SME) sector with the highest spend expected in services including implementation, maintenance, support and education. Falling hardware costs, and high-end vendors finally tailoring product to better suit New Zealand businesses is another growth incentive.

The maturity of Wi-fi and increased use of other remote access technologies are also key drivers, along with growing pressure to conform to standards and government imposed regulations.

Ms McPherson says many companies seemed to have a lax attitude toward policies and procedures and have little understanding about new government initiatives to protect consumer data, electronic transactions and privacy law changes, for example in the Crimes Amendment Bill.

"Many companies are more liable than they realise if consumer data gets into the wrong hands. Once they become aware of the risk this will also become a major driver of security spending."

Computerland, which consults in the area of security and represents most of the major technology players, rates highest in intended purchases in 2004 (22.6 %) and its partner Cisco had highest brand awareness (22.3 %).

When viewing remaining brand awareness and purchase intentions together IDC rated in descending order: Symantec, Gen-i, Hewlett Packard, Telecom Advanced Solutions (TAS), Marshall Software, 3-Com, Microsoft (Great Plains), IBM, Datacom, Total Team, Network Associates (McAfee). However 10.7 per cent of respondents who planned to purchase security products this year remained unsure who they would commit to.

The proliferation of ‘malware’ - malicious software, ranging from unexpected code to viruses, Trojan horses, worms and even spam - is a major contributor to increased security spending. According to TrendMicro PC viruses cost businesses approximately $US55 billion in damages in 2003 about double the damage of 2002 and more than four times that of 2001.

The need to keep on top of, not only antivirus updates but also operating system and software patches, was embarrassingly evident by the fact that across all products, Microsoft released 51 security advisories in 2003, 30 of them impacting its Windows XP operating system.

Mobility the greatest challenge

A Gartner report in May 2004 suggested 90 per cent of mobile devices lack protection to ward off hackers and many users aren’t taking proper precautions. John Girard, research vice president at Gartner, says wireless mobility is the greatest change to occur in corporate data collection and distribution in the past decade presenting new threats which require sound management policies to protect information assets and contain costs.

Gartner recommends moving all PDAs and phones into the PC support group, installing PDA firewalls, implementing cost controls and purchasing mobile management tools.

Peter Benson managing director Security-Assessment.com believes securing badly written web and system applications is becoming more important than securing the perimeter. "There is no such thing as a perimeter these days. It’s gone. Organisations connect to partners, they have remote dial-up and VPNs – they’ve become virtual enterprises."

Mr Benson says security should be preventative and include application level testing particularly with besoke software development and web development. "Security products are just products not security. If you build systems right in the first place firewalls, antivirus and intrusion detection should be the backstop not the first point of alert."

He cites ‘cross-over scripting’, ‘SQL injection’ and ‘phishing’ attacks as threats made possible through code written without a security requirements definition. A web form may be used to write an SQL script to a back-end database and if not filtered properly can compromise the system. E-commerce sites can be manipulated to access account information. Phishing, where people are conned into giving up their account details through a legitimate looking request from a bank for example, can divert data to a malicious person.

Mr Benson says penetration testing a couple of times a year is not enough." Continuous auditing is necessary as part of vulnerability management." Security-Assessment.com uses

Qualys, a fully automated enterprise level web services application which scales to look at every device on network to determine vulnerability and has the tools to manage issues as they arise.

ISPs are increasingly seen as business partners and need to have high levels of security to remain a valued link in the communications chain. Iconz for example has two permanent security officers and every quarter brings in a specialist to conduct a security audit. It’s just had its Unix and Microsoft environment audited right down to the IP level.

CEO Sean Weekes believes it’s important to have an independent audit and for ISPs in particular to segregate the hosting and local environment. "If you stand still the environment goes backwards. You must keep proactive. Those companies that can’t afford to have someone monitor their networks should be outsourcing," he says.

Iconz uses Sophos anti-virus tools, Packeteer 6500 at its international gateway, and Packeteer 4000 for national monitoring. Both trigger alarms if there any issues with IP traffic. It also uses Esphion to monitor for anomalies.

While many vendors are now integrating antivirus, firewall and anti-spam products the speed at which viruses are proliferating still leaves users wide open to attack. Vendors can typically release a patch file within two to four hours of a new threat being released into the wild, however the Slammer worm was able to hit five and a half million hosts in about 11 minutes.

"Two hours doesn’t cut it anymore. The whole approach of looking for a virus signature and then blocking it means someone has to get the virus first," says Cisco systems engineer Arron Scott.

Cisco has been looking at ways to better protect the enterprise and has come up with the concept of the self-defending network. The first step was the acquisition Okena, now re-branded as Cisco Secure Agent (CSA) which detects viral behaviour.

Self defending network

It spent three and a half years formulating tables to pick up unacceptable behaviour. "Why would your SQL database try to probe thousands of hosts per second? Why would an application want to format its own hard drive?" he asks.

CSA can be installed on the server and desktop to protect against viruses and hackers and crackers. "There’s no difference in behaviour just that one is automated and one is manual," says Mr Scott.

Intrusion detection systems that inspect packets for a bad payload are fairly common and increasingly embedded into firewalls and intelligent routers. The highest level of inspection and intelligent response however still requires a dedicated ‘black box’ which doesn’t slow down the network or become a point of vulnerability itself.

"With our application we can tell the router to filter the packets and intelligently reconfigure the network to cope with the attack," says Mr Scott.

While traffic coming from the internet can be easily scanned how do you validate outgoing traffic from PCs on a LAN, and ensure each machine has current anti-virus software or system patches?

According to Cisco part of the solution is enabling the password protection and authentication, which most network managers ignore. Instead of letting everyone plug into any Ethernet port, part of Cisco’s cunning plan insists on user name and identification using 802.1x port authentication. "You need to allow the network to intelligently determine who’s allowed to plug in."

The second phase of Cisco’s ‘self defending network’ will ask for a ‘security posture’, requesting information about the anti-virus version, the software installed and the state of the operating system. "You might have an interface to the Microsoft operating system to ensure the latest patches have been installed. If the computer has peer-to-peer file sharing from Kazaar for example, it might be locked out of the network," says Mr Scott.

Symantec, TrendMicro and McAfee are all developing servers that work with Cisco’s agent software to ensure the right files are in place. The first code will be released in late June as part of a software or firmware upgrade to Cisco’s routers and switches. Cisco is also working with Microsoft and other operating system and firewall vendors to broaden the scope of its coverage.

Kiwi attitude challenged

And while much of the focus on security is about monitoring for network anomalies monitoring the behaviour of people is just as important. Jeff Shaw, information systems manager for the North Shore City Council says New Zealanders are fairly laid back and trusting so it’s a continuing challenge to change staff behaviour to become more security conscious.

Mr Shaw has recently put the council’s through a thorough security audit ahead of opening up its systems to become more public facing. The audit identified a number of areas for improvement, including the need to update policies and procedures and have a framework to ensure these followed.

"We have kept a definite line where we don’t allow any direct interaction between the public and our internal systems but that’s going to change very shortly as we move into things like web payments of parking, property files and other areas," says Mr Shaw.

Network security expert Tony Krzyzewski agrees a lot of network security problems have more to do with the lack of skills and policies than technology. "If you don’t have a core set of documents to define how security is going to work and how people are to relate to this how will people know what is and isn’t allowed."

He’s worked with Vector, Land Information New Zealand, Freightways and the North Shore City Council and warns much of the threat to organisations today comes from inside. "The problem that causes severe pain and quite often financial loss often comes from the middle manager who goes wrong, or information leakage from users ho share information or take it with them to another organisation."

Mr Krzyzewski who conducts security audits for his company Kaon Technologies says not having security policies and procedures in place is a recipe for anarchy. Without the right checks in place it’s difficult to know when problems are occurring, and even with added intelligence and packet monitoring you need people skilled enough to interpret what is uncovered.

"The skill level of the people who are running, monitoring and controlling networks has declined over the years. There’s far more to it than just bolting together a firewall, mail protection and authentication systems. You have to understand the technology behind what you are doing and most people don’t," warns Mr Krzyzewski.

"You have technical support people putting systems together without security, vendors who don’t take security into consideration, users who don’t know security is a requirement and administrators working without guidelines who over-ride other systems for convenience sake. What you end up with is a big melt down," he says.

Monitoring behaviour is becoming the new benchmark for security. While technology is increasingly providing the tools to analyse each packet and pick up erroneous network activity, managing human behaviour through policies, procedures and improved security awareness is the pre-requisite to success.

 Keith Newman